NSS Labs Backs Global Bounty Program to Cut Software Flaw Prevalence

By Robert Lemos |
Posted 2013-12-19

Software firms' tepid approach to increasing the focus on security in the application development process has failed to staunch the flow of reports of new software flaws, but a global vulnerability purchasing program could help, argued a report published on Dec. 18 by security-information firm NSS Labs.

In 2012, the number of vulnerabilities reported in software programs increased for the first time in five years and this year will likely equal or surpass that mark, according to data from the National Vulnerability Database. While the number of software flaws considered critical security threats has declined, attackers continue to have little trouble finding a software flaw to exploit.

The glut of security flaws is a prime reason that damaging digital attacks continue to plague companies, Stefan Frei, research director for NSS Labs, told eWEEK. While some software firms have begun training programmers in secure development techniques and using automation to catch bugs in code, most of the efforts have yet to bear fruit, Frei said.

Out of 10 major software vendors—including Adobe, Apple, IBM and Oracle—only Microsoft has reduced the number of flaws reported in its products to below its five-year and 10-year average, according to NSS Labs' data.

"On the very large scale, doing more of the same has not solved our problems," Frei said. "As it is right now, the system is fragile."

The report, which uses previous NSS Labs vulnerability analyses, estimates that a bounty program to buy serious vulnerabilities in popular software could make a dramatic difference in the cyber-criminal economy. While costing a fraction of the total cost of cyber-crime, the program could remove potential vectors of attack from the market, Frei said.

"Today, most of the vulnerabilities are reported to the vendor for free," Frei said. "We rely 100 percent on the altruism of the researcher, while at the same time there is an expanding market from government agencies and criminals to offer extremely high rewards for the same information."

Bug bounty programs have gained increasing popularity. In 2002, iDefense created the Vulnerability Contributor Program, paying security researchers for vulnerabilities in other companies' products. Since then, a number of vendors—such as Mozilla, Facebook and Google—have started rewarding researchers for bug reports. After refusing to pay for vulnerability research, Microsoft agreed to award prizes for any exploitation techniques that can bypass the defenses of the current version of Windows.

A program to buy each reported vulnerability for $150,000—a significant bounty by today's standards—would cost $444 million if the initiative purchased every flaw discovered in the top-50 products in 2012. While that sum may seem excessive, it represents less the 5 percent of the total cost of cyber-crime, estimated to be at least $10 billion, NSS Labs stated in the report.

If implemented as an international program, with local groups that would receive submissions and a number of assessment centers that would randomly be assigned the task of checking the information, the program could work to remove much of the supply of vulnerabilities, Frei said.